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Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

2. Claims 1-2, 4, 8, 11-12, and 17-25 are rejected under 35 U.S.C. 103(a) as being 

unpatentable over Shrader et al. (U.S. Patent 6,374,359), and further in view of Rail 

(Patent Application Publication 2003/01 10399) and Shibata et al (U.S. Patent 

5,586,185). 

For claims 1, 17 and 21, Shrader et al. teach a method for authenticating a web 
session comprising: receiving a user ID (note column 5, lines 44-50); encrypting a 
message using an encryption key (note column 7, lines 21-23); and converting the 
encrypted message into an ASCII string (note column 7, lines 33-36). 

Shrader et al. differ from the claimed invention in that they fail to specify: 
computing a message digest of the user ID; computing an expiration timestamp for the 
session; and combining the message digest and expiration timestamp. 

Rail teaches a similar device as Shrader et al. in which, a message digest of the 
user ID is computed (note paragraph [0036]); an expiration timestamp for the session is 
computed (note paragraph [0032]); and the message digest and expiration timestamp 
are combined (note paragraph [0036]). 
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It would have been obvious to one of ordinary skill in the art at the time of the 
invention to form the device of Shrader et al. using the methods of Rail for the added 
securities of knowing the cookie has not been tampered with (message digest) and the 
cookie is not being used after a given length of time has elapsed (timestamp). 

The combined invention of Shrader et al. and Rail differ from the claimed 
invention in that they fail to specify: selecting an index number; accessing an 
encryption key using the index number; and encrypting the message using the 
accessed encryption key. 

Shibata et al. teach a communication method in which encryption keys are stored 
in table with an index number. When sending a message, the user selects an index 
number (note column 10, lines 43-51), the encryption key is accessed using the index 
number and the message is encrypted using the selected key (note column 18, lines 54- 
64). 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to combine the inventions of Shrader et al. and Rail with the encryption 
method of Shibata et al. Rail teaches the use of "any suitable private encryption key" 
and Shrader et al. teach "preferably, the key pair is constructed and stored locally (for 
root user access only) during configuration of the Web server." The method of Shibata 
et al. meets these qualifications and teaches improved key management through "a 
'cipher key table' in which a plurality of cipher keys and their index numbers are 
updatably registered." 
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For claims 2 and 22, the combination of Shrader et al., Rail and Shibata et al. 
teach a method of claims 1 and 21 , wherein the step of combining the message digest 
and expiration timestamp more specifically includes concatenating the message digest 
and expiration timestamp (note paragraph [0036] of Rail). 

For claim 4, the combination of Shrader et al., Rail and Shibata et al. teach a 
method of claim 1 , wherein the step of receiving the user ID more specifically comprises 
receiving the user ID through an HTML page (note column 5, lines 44-47 of Shrader et 
al.) that is communicated from a remote client browser (note paragraph [0021] of Rail). 

For claims 8, 20 and 23, the combination of Shrader et al., Rail and Shibata et al. 
teach a method of claims 1,17 and 21 , wherein the step of accessing the encryption 
key more specifically comprises retrieving an encryption key from a storage segment 
containing a plurality of encryption keys (note column 7, lines 20-23 of Shibata et al.), 
wherein the retrieved encryption key is obtained from a location or position within the 
storage segment based upon the index number (note column 18, lines 54-64). 

For claim 1 1 , the combination of Shrader et al., Rail and Shibata et al. differ from 
the claimed invention in that they fail to specify the encrypted message is converted into 
an ASCII string using a "printf" command. 

It would have been obvious to one of ordinary skill in the art to convert the 
encrypted message to an ASCII string using a "printf' command because it was well 
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known in the art that the printf command returns an ASCII string when printing an 
integer using the "%c" conversion specifier. 

For claim 12, the combination of Shrader et al., Rail and Shibata et al. teach a 
method of claim 1 , wherein the step of converting the encrypted message into an ASCII 
string more specifically includes converting the encrypted message into a hexadecimal 
value (note column 6, lines 43-47 and FIG. 7 of Shrader et al.). 

For claim 18, the combination of Shrader et al., Rail and Shibata et al. teach a 
method of claim 17, further including a system to generate an expiration timestamp 
(note paragraph [0032] of Rail). 

For claims 19 and 24, the combination of Shrader et al., Rail and Shibata et al. 
teach a method of claims 17 and 21, further including a system configured to 
communicate the ASCII string to a remote computer (note column 7, lines 33-36 of 
Shrader etal.). 

For claim 25, the combination of Shrader et al., Rail and Shibata et al. differ from 
the claimed invention in that they fail to specify the step of communicating the ASCII 
string to a person through voice communications. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to communicate the ASCII string to a person through voice communication. It 
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is common practice to recite pieces of information (passwords, social security numbers, 
credit card numbers) over the phone to authenticate an individual to a service providing 
entity. For example, when a home security alarm is activated, the alarm company will 
call the homeowner and require a password to be recited in order to authenticate the 
homeowner and establish the alarm was a false positive. 

3. Claims 3, 14 and 15 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Shrader et al., Rail and Shibata et al. as applied to claim 1 above, and further in 
view of Berners-Lee et al. and Verio. 

For claim 3, the combination of Shrader et al., Rail and Shibata et al. teach a 
method of claim 1 , further comprising passing the ASCII string to a remote computer 
using FTP (note paragraph [0021] of Rail) within an HTML page (note paragraph [0024]) 
of Rail). 

The combination of Shrader et al., Rail and Shibata et al. differ from the claimed 
invention in that they fail to specify the ASCII string is passed in an FTP URL being of 
the form ftp://ID:ASCII@hostname, wherein ID is the user ID and ASCII is the ASCII 
string. 

Berners-Lee et al. teach "URL schemes that involve the direct use of an IP-based 
protocol to a specified host on the Internet use a common syntax for the scheme- 
specific data: //<user>:<password>@<host>:<port>/<url-path>" They go on to specify 
that <user> and <password> as "user: An optional user name. Some schemes (e.g., 
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ftp) allow the specification of a user name. Password: An optional password. If present, 
it follows the user name separated from it by a colon." 

The Verio glossary defines password as "A series of characters that enables 
someone to access a file, computer or program." This definition would make the ASCII 
value a password because it is a series of characters that are enabling a user to access 
files on an FTP server. It would have been obvious to one of ordinary skill in the art at 
the time of the invention to form the combination of Shrader et al., Rail and Shibata et 
al. passing the ASCII value in an FTP URL because Berners-Lee et al. teach the 
convenience of passing user ID's and password values to an FTP server through the 
URL. 

For claim 14, the combination of Shrader et al., Rail and Shibata et al. teach a 
method of claim 3, further including the step of passing the index number to the remote 
computer (note column 19, lines 13-43 of Shibata et al.). 

For claim 15, the combination of Shrader et al., Rail and Shibata et al. teach a 
method of claim 14, wherein the step of passing the index number to the remote 
computer more specifically comprises passing the index number to the remote 
computer separate from the ASCII string (note column 19, lines 13-43 of Shibata et al.). 

4. Claim 5 is rejected under 35 U.S.C. 103(a) as being unpatentable over Shrader 
et al., Rail and Shibata et al. as applied to claim 1 above, and further in view of Jenkins. 
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For claim 5, the combination of Shrader et al., Rail and Shibata et al. differ from 
claimed invention in that they fail to specify the message digest of the user ID more 
specifically comprises computing a four-byte binary value. 

Jenkins teaches a hashing function that "Returns a 32-bit value." Note that a four 
bytes value is equal to 32 bits. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to form the combination of Shrader et al., Rail and Shibata et al. that used the 
four byte hashing function of Jenkins to create the user ID message digest because Rail 
teaches to use "a suitable hashing function" and Jenkins teaches his hash function is 
"faster and more thorough than the one you are using now." 

5. Claim 6 is rejected under 35 U.S.C. 103(a) as being unpatentable over Shrader 
et al., Rail and Shibata et al. as applied to claim 1 above, and further in view of 
Krishnaswamy et al (U.S. Patent 6909708). 

For claim 6, the combination of Shrader et al., Rail and Shibata et al. differ from 
claimed invention in that they fail to specify the expiration timestamp is computed in 
Epoch format. 

Krishnaswamy et al. teach a communication method that "records timepoints in 
the epoch time format." 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to form the combination of Shrader et al., Rail and Shibata et al. that 
computed the timestamp in Epoch format because Krishnaswamy et al. teach "This 
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embodiment solves the problems associated with converting to and from daylight 
savings time because daylight savings time is a local time offset and does not affect the 
epoch time. Furthermore, the timepoints in epoch time format require less space in the 
call record than they do in local switch time format." 

6. Claims 7, 10 and 13 are rejected under 35 U.S.C. 103(a) as being unpatentable 
over Shrader et al., Rail and Shibata et al. as applied to claim 1 above, and further in 
view of Tan (U.S. Patent 6,490,353). 

For claim 7, the combination of Shrader et al., Rail and Shibata et al. differs from 
the claimed invention in that they fail to specify the index number used to access the 
encryption key is randomly generated. 

Tan teaches a key management scheme where "it may select these [key start 
points and lengths] by randomly selecting table entry numbers." 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to form the combination of Shrader et al., Rail and Shibata et al. with randomly 
selected index numbers for the added security of an unpredictable sequence of 
encryption keys. 

For claim 10, the combination of Shrader et al., Rail and Shibata et al. differs 
from the claimed invention in that they fail to specify the step of concatenating the index 
number to the encrypted message. 
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Tan teaches a key management scheme where "the seed (randomly generated 
index number) may be communicated as part of the message transmission." 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to form the combination of Shrader et al., Rail and Shibata et al. which 
included the index number in the message transmission as a convenient way of storing 
the index number so the server would not have to locally store which cookie is 
encrypted with which key. It is well known in the art that an easy way to include two 
pieces of data in one message is to concatenate the two pieces of data together. 

For claim 13, the combination of Shrader et al., Rail and Shibata et al. differ from 
the claimed invention in that they fail to specify the encrypted message and index 
number are converted into an ASCII string using a "printf command. 

It would have been obvious to one of ordinary skill in the art to convert the 
encrypted message to an ASCII string using a "printf 7 command because it was well 
known in the art that the printf command returns an ASCII string when printing an 
integer using the "%c" conversion specifier. 

7. Claim 9 is rejected under 35 U.S.C. 103(a) as being unpatentable over Shrader 
et al., Rail and Shibata et al. as applied to claim 1 above, and further in view of Jenkins 
and Krishnaswamy et al. 
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The combination of Shrader et al., Rail and Shibata et al. differs from the claimed 
invention in that they fail to specify the encrypted combined message digest and 
timestamp are an eight-byte binary value. 

Jenkins teaches a hashing function that "Returns a 32-bit value." Note that a four 
bytes value is equal to 32 bits. Krishnaswamy et al. teach an epoch timestamp that is 
stored in 16 bits. 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to use DES to encrypt the message digest and timestamp. Note, because of 
the block encryption properties of DES, an input of 48 bits (32 bit hash plus 16 bit 
timestamp) would result in a one-block output of 64 bits or eight bytes. 

8. Claims 26-28 rejected under 35 U.S.C. 103(a) as being unpatentable over 
Shrader et al., Rail and Shibata et al. as applied to claim 21 above, and further in view 
of Stern (U.S. Patent 6,1 10,044). 

For claims 26-28, the combination of Shrader et al., Rail and Shibata et al. differs 
from the claimed invention in that they fail to specify the ASCII string is printed onto a 
ticket selected from the group consisting of an airline ticket, a concert ticket, an 
employee ID card, and an event ticket and further specifying the ASCII string be printed 
on the ticket in a form that it may be later electronically scanned for verification. 

Stern teaches a ticket printing and verification method which "contains a barcode 
printer (or other means for embodying a machine-readable indicium in a payout ticket), 
which prints both alphanumeric and barcode information on a payout ticket, including a 
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validation number." Note that in this case, a payout ticket would be an event ticket 
because successful verification of the ticket results in a payout event. Stern also 
teaches, "Selection circuitry 105 may also contain circuitry for encrypting all or part of 
the barcoded data imprinted on the payout ticket." 

It would have been obvious to one of ordinary skill in the art at the time of the 
invention to form the combination of Shrader et al., Rail and Shibata et al., which printed 
the ASCII string on an event ticket with a bar code that can be electronically scanned 
because Stern teaches a method for securely producing and verifying monetary payout 
tickets. 

9. Claim 16 rejected under 35 U.S.C. 103(a) as being unpatentable over Shrader et 
al., Rail, Shibata et al., Berners-Lee et al. and Verio as applied to claim 14 above, and 
further in view of Tan. 

For claim 16, the combination of Shrader et al., Rail, Shibata et al., Berners-Lee 
et al. and Verio differs from the claimed invention in that they fail to specify converting 
the encrypted message into an ASCII string more specifically comprises converting a 
combination of the encrypted message and the index number into an ASCII string, 
wherein the index number is communicated to the remote computer as a part of the 
ASCII string. 

Tan teaches a key management scheme where "the seed (randomly generated 
index number) may be communicated as part of the message transmission." 
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It would have been obvious to one of ordinary skill in the art at the time of the 
invention to form the combination of Shrader et al., Rail, Shibata et al., Berners-Lee et 
al. and Verio which includes the index number in the message transmission before it is 
converted to an ASCII string as a convenient way of storing the index number so the 
server would not have to locally store which cookie is encrypted with which key. 



10. Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to David J. Pearson whose telephone number is (571) 272- 
071 1 . The examiner can normally be reached on Monday - Friday, 8:00am - 4:30pm. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Emmanuel Moise can be reached on (571) 272-3865. The fax phone 
number for the organization where this application or proceeding is assigned is 571- 



Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). 
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